North American Network Operators Group


Re: Growing DoS attacks

  • From: Sabri Berisha
  • Date: Fri Jan 18 04:21:26 2002

On Thu, 17 Jan 2002, Pascal Gloor wrote:

Hey Spale :-)

> If you run a well DDoS'ed IRC server on your network I have a solution for
> you... not the best one, but still technically working..
>
> get a /24 (be careful that there is no bigger network announced which would
> include it!!! i mean like if you get 10.10.10/24, 10/8 would include it)

For those of you who don't really get the picture here, here is a real
life example:

My boss hosts the proxyscanner for the Undernet IRC network. For kiddies,
this means they are unable to load floodnets onto the Undernet. This makes
it a sitting DDoS target. Fortunately, no real DDoS has taken place (just
a few in December of about 10mbit/s each) but in case they do, I just stop
announcing 193.109.122.0/24 to my uplinks. This netblock was requested and
assigned specially for the IRC service. No, it's not a waste of IP space,
we host other "DDoS sensitive" stuff in there too.

The fact that most DDoS attacks are IRC related imho points out the
kind of people we are dealing with. Young kids whose ego is bigger than
their ability to take a step back from someone who calls them names on a
channel they are visiting.

> Get a box, and run Zebra BGPD, which will announce that /24 to your network.
> Then do a script which monitors the traffic to the irc server, and on a
> certain threshold, kill BGPD. wait a certain time, like 15 minutes or so, and
> restart BGPD. It would be nice to check the traffic every minute and if 2
> consecutive checks are positive kill bgpd. That means that you may be able
> to STOP DDoS to irc servers within 2-3 minutes...

This is a method I personally don't use; this would mean a lot of route
flapping/dampening. If a DDoS lasts that long I just stop the
announcements for at least 24 hrs.

On a side note, it is of course a shame that site administrators have to
take measures going as far as requesting PI IP space from RIPE (or ARIN,
whatever you prefer) in order to protect their networks against DDoS
attacks by young people who probably don't have the slightest idea what
they are doing.

-- 
Sabri Berisha
					"I route, therefore you are"
~ my own opinions etc ~
					http://www.cluecentral.net
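The withdraw-on-threshold loop Pascal describes (check every minute, withdraw the /24 after two consecutive over-threshold checks, re-announce after a hold-down) and the flapping concern Sabri raises, as an added example that is not from either poster. The decision logic is modelled as a pure function over per-minute traffic samples; the traffic figures, the threshold and the hold-down values are constructed for illustration, and the BGP daemon is not actually started or stopped.

```python
# Added example (not from the NANOG thread): the "kill bgpd on threshold"
# loop as a decision function, so the flapping behaviour can be inspected
# before wiring it to a real route daemon. All numbers are constructed.
from typing import List, Optional, Tuple

def plan_announcements(samples_mbps: List[float], threshold_mbps: float,
                       consecutive: int = 2,
                       holddown_min: int = 15) -> List[Tuple[int, str]]:
    """Return (minute, action) pairs for a per-minute traffic series.

    'withdraw'    after `consecutive` checks in a row exceed the threshold
    're-announce' `holddown_min` minutes after a withdrawal
    """
    actions: List[Tuple[int, str]] = []
    over = 0                          # consecutive over-threshold checks
    withdrawn_at: Optional[int] = None  # minute of the current withdrawal
    for minute, mbps in enumerate(samples_mbps):
        if withdrawn_at is not None:
            # Prefix is withdrawn: no traffic arrives, so samples say nothing.
            # Just wait out the hold-down, then re-announce and start fresh.
            if minute - withdrawn_at >= holddown_min:
                actions.append((minute, "re-announce"))
                withdrawn_at = None
                over = 0
            continue
        over = over + 1 if mbps > threshold_mbps else 0  # single spikes reset
        if over >= consecutive:
            actions.append((minute, "withdraw"))
            withdrawn_at = minute
    return actions

def count_withdrawals(actions: List[Tuple[int, str]]) -> int:
    """Number of withdraw events, i.e. how often the prefix flapped."""
    return sum(1 for _, action in actions if action == "withdraw")

# Constructed series: 3 quiet minutes, a ~10 Mbit/s flood lasting 37 minutes,
# then 5 quiet minutes (45 samples, one per minute).
SAMPLE_MBPS = [1.0] * 3 + [10.0] * 37 + [1.0] * 5

if __name__ == "__main__":
    short = plan_announcements(SAMPLE_MBPS, 5.0, consecutive=2, holddown_min=15)
    long_ = plan_announcements(SAMPLE_MBPS, 5.0, consecutive=2, holddown_min=24 * 60)
    print("15 min hold-down:", short, "flaps:", count_withdrawals(short))
    print("24 h hold-down: ", long_, "flaps:", count_withdrawals(long_))
```

With the 15-minute hold-down the prefix is re-announced into a still-running flood and withdrawn again every 17 minutes, which is the route flapping Sabri objects to; a 24-hour hold-down withdraws once for the same input.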